Request SSL certificates from letsencrypt.org

License: AGPL-3

This module was written to have your Odoo installation request SSL certificates from https://letsencrypt.org automatically.

Installation

After installation, this module generates a private key for your account at letsencrypt.org automatically in $data_dir/letsencrypt/account.key. If you want or need to use your own account key, replace the file.

For certificate requests to work, your site needs to be accessible via plain HTTP. See below for configuration examples in case you force your clients to the SSL version.

After installation, trigger the cronjob Update letsencrypt certificates and watch your log for messages.

This addon depends on the openssl binary and the acme_tiny and IPy python modules. If you use https in your nginx or apache configuration, openssl should already be installed.

If you still need to install the OpenSSL binary you can use your distro package manager. For Debian and Ubuntu, that would be:

sudo apt-get install openssl

For installing the ACME-Tiny python module, use the PIP package manager:

sudo pip install acme-tiny

For installing the IPy python module, use the PIP package manager:

sudo pip install IPy

Configuration

This addon requests a certificate for the domain named in the configuration parameter web.base.url. If this comes back as localhost or the like, the module doesn’t request anything.

If you want your certificate to contain multiple alternative names, just add them as configuration parameters letsencrypt.altname.N with N starting from 0. The number of domains that can be added is subject to rate limiting.

Note that all those domains must be publicly reachable on port 80 via HTTP, and they must have an entry for .well-known/acme-challenge pointing to your odoo instance.

Usage

The module sets up a cronjob that requests and renews certificates automatically.

After the first run, you’ll find a file called domain.crt in $datadir/letsencrypt. Configure your SSL proxy to use this file as its certificate.

In depth configuration

This module uses openssl to generate CSRs suitable to be submitted to letsencrypt.org. In order to do this, it copies /etc/ssl/openssl.cnf to a temporary file and adapts it according to its needs (currently, that’s just adding a [SAN] section if necessary). If you want the module to use another configuration template, set the config parameter letsencrypt.openssl.cnf.
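The domain selection from the Configuration section and the [SAN] adaptation described above can be sketched as follows. This is an added example, not the module's own code: the function names are hypothetical, the standard-library ipaddress module stands in for IPy, "localhost or the like" is taken to mean dotless names and IP literals, and parameter values are validated because they end up in an openssl configuration file.

```python
import ipaddress
import re
from urllib.parse import urlparse

HOSTNAME = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")

def is_public_name(name):
    """Assumption: 'localhost or the like' means dotless names and IP literals."""
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        # Strict charset also keeps newlines and '[' out of the openssl config.
        return bool(HOSTNAME.fullmatch(name))

def requestable_domains(params):
    """Names from web.base.url plus letsencrypt.altname.0, .1, ... in order."""
    base = urlparse(params.get("web.base.url", "")).hostname or ""
    if not is_public_name(base):
        return []  # local base URL: nothing is requested
    domains, n = [base], 0
    while "letsencrypt.altname.%d" % n in params:
        alt = params["letsencrypt.altname.%d" % n].strip().lower()
        if not is_public_name(alt):
            raise ValueError("unusable letsencrypt.altname.%d: %r" % (n, alt))
        if alt not in domains:
            domains.append(alt)
        n += 1
    return domains

def san_config(template_text, domains):
    """Append a [SAN] section to the template only when altnames exist."""
    if len(domains) < 2:
        return template_text
    san = ",".join("DNS:" + d for d in domains)
    return template_text.rstrip("\n") + "\n\n[SAN]\nsubjectAltName=" + san + "\n"

def csr_command(key_path, cnf_path, domains):
    cmd = ["openssl", "req", "-new", "-sha256", "-key", key_path, "-config", cnf_path]
    if len(domains) > 1:
        return cmd + ["-subj", "/", "-reqexts", "SAN"]
    return cmd + ["-subj", "/CN=" + domains[0]]

if __name__ == "__main__":
    # Constructed sample parameters, not taken from a real installation.
    names = requestable_domains({"web.base.url": "https://erp.example.com",
                                 "letsencrypt.altname.0": "www.example.com"})
    print(san_config("[req]\n", names))
    print(csr_command("domain.key", "openssl-san.cnf", names))
```

The command is built as an argument list for subprocess, so no value passes through a shell.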

After refreshing the certificate, the module attempts to run the content of letsencrypt.reload_command, which is by default sudo service nginx reload. Change this to match your server’s configuration.

You’ll also need a matching sudo configuration, like:

your_odoo_user ALL = NOPASSWD: /usr/sbin/service nginx reload

The line above can be added to /etc/sudoers through the visudo command.

If your distribution supports it, as Debian does, you can create and edit an automatically included file with visudo -f /etc/sudoers.d/letsencrypt. This also sets the right permissions on the file (-r--r-----).

The server that provides the certificates will check that you actually control the host you request a certificate for. It does this by requesting, over HTTP, a file from a URI that contains /.well-known/acme-challenge/xxx. The letsencrypt module provides a controller that serves this URI from the Odoo server, but the frontend nginx or apache server has to be configured to accept HTTP for these URIs.

Therefore, if you force users to https, you’ll need something like this for nginx:

if ($scheme = "http") {
    set $redirect_https 1;
}
if ($request_uri ~ ^/.well-known/acme-challenge/) {
    set $redirect_https 0;
}
if ($redirect_https) {
    rewrite ^   https://$server_name$request_uri? permanent;
}

and this for apache:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} "!^/.well-known/"
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

In case you need to redirect other nginx sites to your Odoo instance, declare an upstream for your odoo instance and do something like:

location /.well-known {
    proxy_pass    http://yourodooupstream;
}
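A way to confirm the redirect exemption before triggering the cronjob, as an added example that is not part of the module: it probes the challenge path and one ordinary path over plain HTTP without following redirects. The function names, the probe token and the use of /web/login as the ordinary path are assumptions of this sketch, and the second check only applies if you force clients to HTTPS.

```python
import http.client
import sys

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
REDIRECTS = (301, 302, 307, 308)

def probe(host, path, port=80, timeout=5):
    """GET path over plain HTTP; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location") or ""
    finally:
        conn.close()

def to_https(status, location):
    return status in REDIRECTS and location.startswith("https://")

def check_http01_exemption(host, port=80, other_path="/web/login"):
    """Return a list of findings; an empty list means the setup looks right."""
    findings = []
    # A made-up token: a 404 from Odoo is fine, a redirect or 5xx is not.
    status, location = probe(host, CHALLENGE_PREFIX + "probe-token", port)
    if to_https(status, location):
        findings.append("challenge path is redirected to HTTPS (%d)" % status)
    elif status >= 500:
        findings.append("challenge path returns server error %d" % status)
    # Ordinary paths should still be forced to HTTPS.
    status, location = probe(host, other_path, port)
    if not to_https(status, location):
        findings.append("%s is served over plain HTTP (%d)" % (other_path, status))
    return findings

if __name__ == "__main__":
    problems = check_http01_exemption(sys.argv[1])
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```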

If you’re using a multi-database installation (with or without the dbfilter option) where /web/database/selector returns a list of more than one database, you need to add the letsencrypt addon to the server-wide addons list (by default, only the web addon) by setting the --load option. For example, --load=web,letsencrypt

Bug Tracker

Bugs are tracked on GitHub Issues. In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us smash it by providing detailed and welcome feedback.

Credits

Maintainer

Odoo Community Association

This module is maintained by the OCA.

OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.

To contribute to this module, please visit https://odoo-community.org.


Details for the file odoo8_addon_letsencrypt-8.0.1.0.0.99.dev26-py2-none-any.whl.

File hashes

Hashes for odoo8_addon_letsencrypt-8.0.1.0.0.99.dev26-py2-none-any.whl
Algorithm Hash digest
SHA256 8a5d7d19a490570eb13fa1c9bb5bdfddc75f70763e63ca6920563b6af7e300f4
MD5 39947895cb8e85961ddc660f03ac9b3e
BLAKE2b-256 f418dd9e6288cf38d8be78e212998086afc9e6255c7f177f2284f0b448231003
